Server Busy Virus - Hijack log

Hello all - This is my first post here and I would really appreciate some advice. I found a similar thread from a few years back, but from what I understand, it's preferred that I start my own thread. The problem I'm having is two-fold. First, I'm getting this Server Busy box that pops up. It has two buttons: Switch To or Retry. I cannot make it close by clicking the close button. It comes up sporadically and stays for about a minute or so, then just goes away. Second, although I use Firefox, this virus keeps opening up Internet Explorer. Periodically while I'm using the computer, it will open 3-4 IE windows and it takes me a while to get them closed. I've done everything that I know how: I ran a full system scan with McAfee (recently updated) and I ran an updated version of Spybot and AdAware. I don't know what else to do. I did run HijackThis and the log file is below. I don't know what to do with this information. Any help at all would be greatly appreciated.

Thank you -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:22 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\SMANTE~1\attrib.exe
C:\WINDOWS\SYSTEM32\s?mbols\??rss.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Framework\McTray.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\DllHost.exe
c:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\OFFPROV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\All Users\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Alab] "C:\PROGRA~1\SMANTE~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Pdcyrpxd] "C:\Program Files\Common Files\??curity\j?vaw.exe"
O4 - HKCU\..\Run: [Nlsh] C:\WINDOWS\SYSTEM32\s?mbols\??rss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\E_SRCV02.EXE
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {480D4400-8AAA-11D5-A3D6-00065B18E505} - http://education.dellnet.com/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .cdx: C:\PROGRA~1\INTERN~1\PLUGINS\Npcdp32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6806 bytes
Re: Server Busy Virus - Hijack log

Hi dabadalorian and welcome to DaniWeb.

Download ComboFix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If you're not sure how to disable them, then double-check against the list found >>>HERE<<<. This list is not all-inclusive; if your programs are not listed and you are unsure, then please ask before continuing.
--------------------------------------------------------------------

Double-click on combofix.exe & follow the prompts.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Re: Server Busy Virus - Hijack log

MoralTerror - Thanks for the advice. Prior to your suggestions, I had HJT fix the problems:

O4 - HKCU\..\Run: [Pdcyrpxd] "C:\Program Files\Common Files\??curity\j?vaw.exe"
O4 - HKCU\..\Run: [Nlsh] C:\WINDOWS\SYSTEM32\s?mbols\??rss.exe

I then cleared out my temporary files folder and rebooted. So far, this seems to have solved the problems (at least it has alleviated the symptoms for now). If I find that the problem has not really gone away, I will follow your advice. Thanks.
Re: Server Busy Virus - Hijack log

Those entries are PurityScan, which will have several files strewn on the system; running ComboFix will make sure there are no leftovers remaining.
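As an added illustration (not from this thread), a small Python checker for the HijackThis O4 Run entries discussed above. It flags a Run value when HijackThis shows its path with `?` (the tool prints characters outside the system code page that way, and `?` is not a legal filename character, so the real name uses look-alike non-ASCII letters) and when the file name imitates a Windows binary but runs from the wrong directory. The sample lines are constructed from the entries quoted in this thread; `EXPECTED_DIR` is a deliberately short allow-list, and the Run value names are not scored.

```python
import fnmatch
import ntpath
import re

# Constructed sample O4 lines, modelled on the HijackThis entries quoted in this thread.
SAMPLE_O4_LINES = [
    'O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"',
    'O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe',
    'O4 - HKCU\\..\\Run: [Alab] "C:\\PROGRA~1\\SMANTE~1\\attrib.exe" -vt yazb',
    'O4 - HKCU\\..\\Run: [Pdcyrpxd] "C:\\Program Files\\Common Files\\??curity\\j?vaw.exe"',
    'O4 - HKCU\\..\\Run: [Nlsh] C:\\WINDOWS\\SYSTEM32\\s?mbols\\??rss.exe',
    'O4 - HKCU\\..\\Run: [Obed] "C:\\Program Files\\Common Files\\M?crosoft.NET\\??erinit.exe"',
]

# Windows binaries the thread's entries imitate, with the one directory a genuine
# copy is expected in (lower-cased, no trailing backslash). Deliberately short;
# a real allow-list would be much longer.
EXPECTED_DIR = {
    "csrss.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "attrib.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def extract_path(cmd):
    """Return the executable path from a Run value's command string."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first '.exe' token, else the first word.
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def analyze_o4(line):
    """Parse one O4 line; return parsed fields plus a list of findings, or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = extract_path(m.group("cmd"))
    directory, basename = ntpath.split(path)
    directory, basename = directory.lower().rstrip("\\"), basename.lower()
    findings = []
    # '?' in a displayed path means non-ASCII look-alike characters in the real name.
    if "?" in path:
        findings.append("non-ASCII characters in path (rendered as '?')")
    # Treat '?' as a single-character wildcard: does the basename read like a
    # well-known system binary, and is it living where that binary should not be?
    for legit, expected in EXPECTED_DIR.items():
        if fnmatch.fnmatchcase(legit, basename) and directory != expected:
            findings.append("looks like %s but runs from %s (expected %s)"
                            % (legit, directory, expected))
    return {"hive": m.group("hive"), "name": m.group("name"), "path": path,
            "basename": basename, "findings": findings}


def suspicious_entries(lines):
    """Return the analyzed entries that produced at least one finding."""
    results = []
    for line in lines:
        entry = analyze_o4(line)
        if entry and entry["findings"]:
            results.append(entry)
    return results


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_O4_LINES):
        print("[%s] %s -> %s" % (entry["hive"], entry["name"], entry["path"]))
        for finding in entry["findings"]:
            print("    - " + finding)
```

On the sample above it reports Alab, Pdcyrpxd, Nlsh and Obed and passes iTunesHelper and ctfmon.exe, which matches the entries MoralTerror identified in the logs.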
Re: Server Busy Virus - Hijack log

MoralTerror - You were correct. The problem went away for a day or two, then came back. I have posted the ComboFix and new HJT output logs. TIA for any help.

ComboFix 08-01-30.1 - Default 2008-01-29 18:01:33.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.91 [GMT -6:00]
Running from: C:\Documents and Settings\Default\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Default\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Default\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Default\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\mcroso~1.net\??erinit.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\smante~1
C:\Program Files\smante~1\attrib.exe
C:\Program Files\smante~1\S?mantec\
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\start.exe
C:\WINDOWS\system32\hqb.dll
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\Web\default.htt
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-28 14:54 . 2008-01-28 14:54 <DIR> d-------- C:\Program Files\Common Files\?ppPatch
2008-01-25 23:23 . 2008-01-25 23:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 23:22 . 2008-01-25 23:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-25 18:22 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll
2008-01-25 18:22 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\SYSTEM32\epoPGPsdk.dll.sig
2008-01-25 18:21 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-01-25 18:21 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-01-25 18:21 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeapfk.sys
2008-01-25 18:21 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfetdik.sys
2008-01-25 18:21 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-01-25 18:18 . 2008-01-25 18:18 <DIR> d-------- C:\Program Files\McAfee
2008-01-25 18:18 . 2008-01-25 18:18 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-25 08:38 . 2008-01-25 08:38 4,286 --a------ C:\WINDOWS\SYSTEM32\everybodybets.32x32.4.ico
2008-01-22 23:45 . 2008-01-22 23:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\nGpxx01
2008-01-22 23:45 . 2008-01-22 23:45 <DIR> d-------- C:\temp\cXzz9
2008-01-22 23:44 . 2008-01-22 23:44 <DIR> d-------- C:\quarantine
2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ C:\WINDOWS\SYSTEM32\lsdelete.exe
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-01-28 20:54 --------- d-----w C:\Program Files\Common Files\?ppPatch
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\dllcache\lsasrv.dll
2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2007-10-10 23:56 824,832 ------w C:\WINDOWS\SYSTEM32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\SYSTEM32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\SYSTEM32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\SYSTEM32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\SYSTEM32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\SYSTEM32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\SYSTEM32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\SYSTEM32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\SYSTEM32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\SYSTEM32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\SYSTEM32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\SYSTEM32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\SYSTEM32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\SYSTEM32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\SYSTEM32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\SYSTEM32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\SYSTEM32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\SYSTEM32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\SYSTEM32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\SYSTEM32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\SYSTEM32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\SYSTEM32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\SYSTEM32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\SYSTEM32\dllcache\ieakui.dll
2007-04-06 17:22 38,600 ----a-w C:\Documents and Settings\Default\Application Data\GDIPFONTCACHEV1.DAT
2003-10-23 02:07 793 ----a-w C:\Program Files\INSTALL.LOG
2003-01-30 03:43 3,596,784 ----a-w C:\Program Files\mpfull.exe
2001-08-07 02:29 266 --sh--w C:\Program Files\desktop.ini
2001-08-07 02:29 11,079 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2007-10-25 21:34 8460288 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 04:23 68856]
"Alab"="C:\PROGRA~1\SMANTE~1\attrib.exe" [ ]
"Obed"="C:\Program Files\Common Files\M?crosoft.NET\??erinit.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2003-03-31 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 19:34 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52 331830]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 23:41 28738]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SAClient"="C:\Program Files\Insight\BBClient\Programs\RegCon.exe" [2004-11-17 09:19 299008]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\Osa9.exe [1999-02-17 20:05:56 65588]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\SYSTEM32\E_SRCV02.EXE [2001-09-12 21:51:18 121856]
PowerReg SchedulerV2.exe [2001-09-12 22:05:56 256000]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 18:06:54 24633]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-07-02 08:56:22 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Matrox Powerdesk"=C:\WINDOWS\SYSTEM32\PDESK.EXE /Autolaunch
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"TCASUTIEXE"=TCAUDIAG -off
"WheelMouse"=C:\PROGRA~1\FELLOWES\WEBPRO~1\wh_exec.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]
RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore]
rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.

Contents of the 'Scheduled Tasks' folder
"2008-01-06 05:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-01-27 05:20:10 C:\WINDOWS\Tasks\QIC Messenger Bkup.job" - C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe
"2008-01-27 16:47:24 C:\WINDOWS\Tasks\QIC Autoupdate.job" - C:\Program Files\Insight\BBClient\Programs\AutoUpdate.exe
"2008-01-27 18:05:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-29 21:04:34 C:\WINDOWS\Tasks\QIC Messenger Periodic.job" - C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe
.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:05:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-29 18:05:50
ComboFix-quarantined-files.txt 2008-01-30 00:05:48
.
2008-01-10 09:03:53 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:34 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Framework\McTray.exe
C:\PROGRA~1\SMANTE~1\attrib.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\M?crosoft.NET\??erinit.exe
c:\PROGRA~1\COMMON~1\MICROS~1\MSINFO\OFFPROV.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\All Users\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Alab] "C:\PROGRA~1\SMANTE~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [Obed] "C:\Program Files\Common Files\M?crosoft.NET\??erinit.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\E_SRCV02.EXE
O4 - Global Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {480D4400-8AAA-11D5-A3D6-00065B18E505} - http://education.dellnet.com/ (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .cdx: C:\PROGRA~1\INTERN~1\PLUGINS\Npcdp32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 6606 bytes
Re: Server Busy Virus - Hijack log

Hi dabadalorian, still some there. First do this:

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.
Attachment 4939

Download the file & save it as it's originally named, next to ComboFix.exe.
Attachment 4940

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Re: Server Busy Virus - Hijack log

I tried doing what you said. I downloaded the file for my operating system (Windows XP Home Edition Service Pack 2) from this site: http://www.microsoft.com/downloads/d...displaylang=en

Then I closed all windows, turned off anti-virus and dragged and dropped the new icon onto the ComboFix icon. It started to go, then gave a quick message that said something like "CBoot.ini improperly..." or something to that effect, then the window closed. No report. Not sure what went wrong.
Re: Server Busy Virus - Hijack log

Just to update the previous post, the exact message that comes up is: "CBoot.ini is not properly formatted." It comes up for a second or two, then goes away. TIA again for any help.
Re: Server Busy Virus - Hijack log

OK. Delete your copy of ComboFix.exe and download an updated copy from here. Save ComboFix to your desktop, then drag the Microsoft file you downloaded earlier onto the new ComboFix.

Post the CF_RC.txt. Remember not to reboot until we have reviewed the log.
Re: Server Busy Virus - Hijack log

Just did as you suggested, but got the same message and no txt file.